Hi all,
I"m kind of new to Splunk to maybe I am not using the right terms, but I need help with this scenario:
I have a stream of events indexed in my Splunk, where events can be "user_added" or "user_removed". I want to create a database with valid users, meaning that when I get "user_added" I will add the username to a new table, and when I get "user_removed" I will remove it from the table.
Thanks for your help
You need to create a KV Store Collection
(your DB), then start a Real-Time search
with script actions to call the REST Endpoints
(described in link below) to add and remove individual records.
You need to create a KV Store Collection
(your DB), then start a Real-Time search
with script actions to call the REST Endpoints
(described in link below) to add and remove individual records.
Can you please specify what you mean with "creating a database"? Do you want a Splunk report with all valid users, or do you really want to export the search results into a database?
I want this list to be available for other searchs, so I think I need to export the results, and not only that, I want to remove existing data according to new results